The NHS has been left reeling after a ransomware cyber attack led to patients being turned away and emergency services being re-routed.
A statement from the NHS pointed to a particular virus called Wanna Decryptor.
“The investigation is at an early stage but we believe the malware variant is Wanna Decryptor,” explained a spokesperson.
“At this stage, we do not have any evidence that patient data has been accessed. We will continue to work with affected organisations to confirm this.
“NHS Digital is working closely with the National Cyber Security Centre, the Department of Health and NHS England to support affected organisations and to recommend appropriate mitigations.”
Wanna Decryptor first appeared around February 2017 and works by encrypting files on target computers before demanding a ransom be paid in the cryptocurrency Bitcoin.
How does Wanna Decryptor work?
The malware is delivered as a Trojan through a loaded hyperlink that can be accidentally opened by a victim through an email, advert on a web page or a Dropbox link. Once it has been activated, the program spreads through the computer and locks all the files with the same encryption used for instant messages.
Once the files have been encrypted it deletes the originals and delivers a ransom note in the form of a readme file. It also changes the victim’s wallpaper to a message demanding payment to return the files.
How can you remove it?
Not by paying the ransom.
Security experts point out that some antivirus software is capable of catching the Wanna Decryptor virus.
“This particular ransomware is correctly identified and blocked by 30% of the AV vendors using current virus definitions. It is correctly handled by both Kaspersky and BitDefender,” said Phil Richards, the CISO at Ivanti.
“There is no public decryption (crack code) available at present.
“This malware modifies files in the /Windows and /windows/system32 directories and enumerates other users on the network to infect. Both of these actions require administrative privileges.”
Why was the NHS attacked?
Early reports suggest this was a speculative attack rather than a targeted one. The attackers are reportedly asking for $300 to free up the system files, which seems to be on the low side.
An internal investigation is currently taking place, but the source of the intrusion could simply be an accidental phishing attack that hit its mark.
Others have suggested that it isn’t just Britain in the crosshairs.
“There is a component of the ransomware that spreads laterally, unconfirmed reports suggest this could potentially be via SMB shares or leveraging a recent Microsoft bug to spread,” Travis Farral, Director of Security Strategy for Anomali, told Mirror Tech.
Farral also pointed to attacks in Spain and Russia with the same malware as evidence this is not a targeted attack.
How does the NHS handle data?
Back in 2014, the NHS elected to swap its non-clinical patient database (prescriptions, payments, allergies for around 80 million people) from a system called Spine run by Oracle to a NoSQL distributed database running on an open-source stack.
That saves the NHS money, as it no longer has to pay Oracle and can also employ widely available programmers familiar with SQL – one of the most basic data storage mediums in the industry.
But experts believe this has nothing to do with the speed and ferocity of today’s attack.
Dr Malcolm Murphy, technology director for Western Europe at Infoblox, told Mirror Tech the chances of the two being related are “very slim”.
This was echoed by Gavin Millard, EMEA Technical Director at Tenable Network Security: “This doesn’t have any connection with the decision to deploy NoSQL.
“The ransomware would have most probably taken advantage of a known security issue in Microsoft’s desktop operating systems.”
Derek DuPreez, public sector IT specialist at Diginomica, added that the hack brings the NHS’s ambitious data plans into question.
“The NHS has been talking about making greater use of data to improve the efficiency of services, and to map and plan care,” he said.
“There is also increasing demand for the NHS to store more personal data from apps and wearable devices, so that doctors can monitor patients’ health more closely.
“If the data can’t be kept secure, that’s very worrying.”